Two months into the operation of the MJ Freeway / LeafData software in Washington State and we’re still seeing epic data integrity failures. This is the system that failed to launch on Nov 1st 2017, missed the second launch attempt on Jan 1st 2018 and has left us with this broken system beginning Feb 1st.
One of the key features that this system is supposed to provide is the unique identifiers necessary for tracking the materials.

Yet another failure by MJ Freeway / LeafData in their endavour in Washington.
It appears that on March 25th, at 6:45 AM UTC (about 22:45 Seattle Time) there was an update deployed to the LeafData system. This time, they’ve mangled the date formats so badly that their own preferred language (PHP) has difficulty interpreting it (strtotime). No release notes were included, this change was not announced.
Date Format History Back in December of 2017, before this dumpster fire was even launched (it was in it’s first delay period) I requested that MJ Freeway format all dates using the ISO 8601/RFC3339 standard format.

Today the WSLCB and MJ FailWhale/LeakData have once again demonstrated their incompetence and negligence.
Mary Mueller, the CIO of the LCB sent this out today (we received at 18:31 Pacific Time)
Good evening, gang, I know that we were hoping to get this out earlier, but I wanted to let you know that we did find a couple of defects in release 1.35.4.1. Due to the severity of the issue to be fixed, I have reluctantly approved this to roll to Test ASAP and Prod tonight.

MJ Freeway / LeafData Epic Failure The LCB (after may delays) finally decided to “launch” the LeafData platform. The first few days have been a epic failure. There are 100s of businesses that cannot even operate now.
First, there was the disaster of the Secure Access Washington (“SAW”) system. All the cannabis business owners needed access LeafData after a sign-in via SAW. However, due to record-keeping errors on the part of the LCB many of these businesses had a mis-match between their SAW email and their LeafData emails.

The MJ Freeway / LeafData system will be launching in Washington in a few days (Feb 1st). This is the system that failed to launch Nov 1st, and then failed again to launch on Jan 1st. Third time is the charm, right?
State of the System What we have now is a product that is very, very rough around the edges.
Third party software vendors, like us, were told we would have API stability in December.

Once again, MJ Freeway/Leaf Data Systems has failed to launch their platform for the State of Washington. Originally they had set a foolishly aggressive schedule of a November 1st, 2017 launch, which they failed. This was followed up by a second, aggressive schedule of January 1st, 2018. An announcement was made on December 22nd, 2017 that the January deadline would not be met.
Some History In May we all knew that BioTrackTHC was out on October 31st.

On Nov 1st the Washington State cannabis tracking infrastructure operated by the WSLCB went offline, rather abruptly. The WSLCB had issued a contingency plan the week before, however the plan was rough and kept changing day over day with work-arounds and odd modifications to the status-quo. BioTrackTHC’s contact with the WSLCB had terminated on Oct 31st and the replacement system was not operational (estimated delivery date is Jan 2, 2018).

Here is a pretty serious bug in the Washington State Traceabilty system that is powered by BioTrackTHC.
In the object descriptors provided by the BioTrack API there is a field called ‘sessiontime’. This value is populated with the time the object was last modified, generally. On the QA results API calls however this field is populated with the time the API call is made. So, each call to lookup the QA results reports a different timestamp.

Through the Freedom of Information Act we are able to obtain database dumps from the Washington State BioTrack database. Here’s a small anomaly we’ve noticed on this one.
Keep in mind, this is a system that is supposed to guarantee unique identifiers for all plants and inventory and provide robust tracking.
select id from inventory group by id having count(id) > 1;<br /> 0214523902408153<br />
Everyone knows that quality database systems don’t enforce unique indexes on their system.

Yet another data inconsistency in the BioTrackTHC system for Washington State. In this case we see the system indicate an Inventory Adjustment – but there is no corresponding record to the Inventory itself. Either the original Inventory records have been dropped from sync, or the Adjust data-set is improperly including this one.
{ "atype": 4, "inventoryid": "9385560946883972", "location": "412457", "new_quantity": "0.000000", "previous_quantity": "2187.902796695", "reason": "Originally entered with stems and once reprocessed to remove them, the system was not updated to reflect the loss in tonnage.

Today BioTrackTHC+WSLCB released another update to the API; again with zero advance notice for third party integrators. At the end of Friday an announcement was provided which details the changes. This leaves integrators (such as WeedTraQR) in the lurch. Now, we have to work through the weekend to integrate these critical updates.
On multiple occasions WeedTraQR has communicated to both BioTrackTHC and the WSLCB how to deploy updates to an API.

The authentication system for this API is a fucking joke. Rather than use established standards like oAuth or hash-tokens they require that users of the API use the SAME CREDENTIALS that are used to sign-in to their system. This is a KNOWN ANTI-PATTERN in the technical world for many reasons.
It’s problematic because it requires integrators to keep this password on file. If there were any security issues in the integrator platform it could expose this BioTrack credentials.

BioTrackTHC abruptly changed their API On Saturday, May 28th with zero notice to any of the third party integrators in Washington State.
The change this time created a new value for the LocationType field of the Vendor objects. The new value is ‘9’.
BioTrackTHC also (silently) published an updated API document (https://biotrackthc.com/sites/default/files/state-docs/JSON-21.pdf). This new documentation introduces functionality for manifests to be transported by third parties. However, no mention is made about LocationType 9.

Once again BioTrackTHC has modified their API with zero notice to the third party integrator. The API in question this time is inventory_manifest_lookup. This API takes only one parameter, a six digit license ID.
Prior to May 14th, if one was to query this API using an in-active license ID it would respond with the message:
{ "error": "No inbound transfers or pending manifests found.", "errorcode": "602", "success": 0 } Then, the API changed on May 14th without notice.

There appears to be a bit of a discrepancy with how the BioTrackTHC system handles the QA results.
Sometimes it shows the results are there and keeps the association with the parent ID.
In other cases that relationship seems to be lost and one must know a sub-lot of a sub-lot ID to find the results.
Oh, and in that specific case one API call shows no results and another API call does provide QA results.

Here is documentation about yet another data error we’ve found in the Washington State Marijuana Traceability system that is operated by BioTrackTHC
A client, who shall remain nameless, brought to our attention that a specific product name was being displayed for 100s of items in their WeedTraQR system but not in their BioTrackTHC Commercial version, nor was this product name showing in the BioTrackTHC Free version. We inspected the data we get from the BioTrackTHC API and found this product name was included, and therefore displayed in WeedTraQR.

Since WeedTraQR is directly involved in the regulated marijuana business in Washington State we’re able to see first-hand some of the technical issues. One issue that has cropped up recently, affecting two of the last 64 transport manifests our customers have sent to the State are failing. The reason they are failing? The receiving party cannot locate these items in their system.
Marijuana Transport Manifest The transport manifest implementation in Washington is a two part handshake.

In Washington all marijuana producers and processors are required to report details about their business to the State. Some of this data includes weights. Washington State has, effectively, zero control or accuracy with the weights recorded in this system. The inconsistencies in the operation of this software points to an even larger problem: A core function of tracking this inventory, the weight, is not handled consistently or correctly.

Any traceability/tracking system requires some type of labeling or identifiers to be attached on or around the items in question. These can be Barcodes, Stickers, NFC, RFID or any number of other options for tagging physical objects.
In Washington State specifically we are using 16 digit identifiers issued by the State. The State supplied system provides a printed label that includes a C128B barcode as well. The generated documents are PDFs designed to print on small single-shot label printers like a Zebra or Dymo.

In Washington State, we’ve got three markets for buying marijuana. The dark-market (DMJ), medical (MMJ) and recreational (RMJ). This is causing some havoc in the space for many of the participants.
For the dark-market side; where the costs to the consumer are lowest (~5-7/g) their sales have been slowing; but gradually. They already felt competition from MMJ. Consumers from the black-market can easily transition to the Recreational side but the costs are much higher.

This post is targeted to all you technical folks out there who ever tried to use the BioTrackTHC APIs in Washington State. As you’ve likely noticed this API is a poor implementation. Here are some details of what makes it so crappy.
Not a REST style May moons ago (c2000) internet software engineers came up with a methodology called REST. It’s an elegant, best-practices way to design computer-to-computer interfaces (APIs).

The design of the Inventory Transfer Manifest system by the State of Washington is causing massive headaches for the Producers, Processor and Retailers here.
The core of the problem is the lack of flexibility in the system. The root cause is either in the regulations or the implementation of said regulations. Really however, what caused it to be broken is less important for the business owners because they need to fix problems in the broken system today – not 24 months ago when these problems were being created.

Tracking Recreational Marijuana Inventory from Seed to Sale is very close to being a real situation in multiple states, it’s four as of this writing and many more are talking about relaxing their laws around medical use and even starting conversations about recreational use.
“Traceability” is a fancy word for inventory management, tracking and auditing. For marijuana this means:
Where did the seeds come from? What strain are they? When were they planted and harvested?

Viridian Sciences caught a little heck last week for their post claiming that the WSLCB site (previously) at http://www.mjtraceability.com/ was being used over a non-encrypted connection.
In fact, the LCB has flatly denied this.
We don’t have any recordings of our findings but, reviewing browser history going back over a few months we could see that the following was true.
http://www.mjtraceability.com/ was begin served over a non-encrypted connection (until at least Jan 12, 2015).